T1134.005 SID-History Injection
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. [1] An account can hold additional SIDs in the SID-History Active Directory attribute [2], allowing interoperable account migration between domains (e.g., all values in SID-History are included in access tokens).
With Domain Administrator (or equivalent) rights, harvested or well-known SID values [3] may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.
Item | Value |
---|---|
ID | T1134.005 |
Sub-techniques | T1134.001, T1134.002, T1134.003, T1134.004, T1134.005 |
Tactics | TA0005, TA0004 |
Platforms | Windows |
Permissions required | Administrator, SYSTEM |
Version | 1.0 |
Created | 18 February 2020 |
Last Modified | 09 February 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0363 | Empire | Empire can add a SID-History to a user if on a domain controller. [12] |
S0002 | Mimikatz | Mimikatz's MISC::AddSid module can append any SID or user/group account to a user's SID-History. Mimikatz also utilizes SID-History Injection to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain. [11][10] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1015 | Active Directory Configuration | Clean up SID-History attributes after legitimate account migration is complete. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0026 | Active Directory | Active Directory Object Modification |
DS0009 | Process | OS API Execution |
DS0002 | User Account | User Account Metadata |
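The detection data sources above (Active Directory object modification, user account metadata) and the M1015 cleanup step both start from an inventory of populated SID-History attributes. The following PowerShell is an added example, not code from the ATT&CK entry or from Microsoft; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the domain, and the function name Get-SidHistoryFindings is an assumed name chosen here.

```powershell
# Added audit script; not from the ATT&CK entry or any of the cited tools.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Well-known RIDs whose presence in SID-History warrants review: Administrator (500),
# Domain Admins (512), Domain Controllers (516), Schema Admins (518), Enterprise Admins (519).
$PrivilegedRids   = @('500', '512', '516', '518', '519')
$BuiltinAdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators

function Get-SidHistoryFindings {
    param([string]$DomainSid = (Get-ADDomain).DomainSID.Value)

    # sIDHistory is set on users and groups alike, so query objects rather than users only.
    $objects = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass, whenChanged
    foreach ($obj in $objects) {
        foreach ($entry in $obj.sIDHistory) {
            # The module normally returns SecurityIdentifier objects; tolerate raw bytes too.
            $sid = if ($entry -is [byte[]]) {
                (New-Object System.Security.Principal.SecurityIdentifier($entry, 0)).Value
            } else { [string]$entry }
            $rid       = $sid.Split('-')[-1]
            $issuerSid = $sid.Substring(0, $sid.LastIndexOf('-'))
            $reasons   = @()
            # A legitimate migration imports SIDs from a different (source) domain; an entry
            # issued by the current domain has no migration explanation.
            if ($issuerSid -eq $DomainSid)      { $reasons += 'SID issued by current domain' }
            if ($PrivilegedRids -contains $rid) { $reasons += "privileged RID $rid" }
            if ($sid -eq $BuiltinAdminsSid)     { $reasons += 'BUILTIN\Administrators' }
            [pscustomobject]@{
                Account     = $obj.Name
                ObjectClass = $obj.objectClass
                HistorySid  = $sid
                WhenChanged = $obj.whenChanged   # correlate with AD object-modification events
                Suspicious  = ($reasons.Count -gt 0)
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

# Suspicious entries first; the full list is the cleanup backlog for M1015.
Get-SidHistoryFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries flagged as issued by the current domain are the strongest signal, since no inter-domain migration produces them; privileged-RID entries from a trusted domain deserve a check against the migration records before they are removed.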
References
1. Microsoft. (n.d.). Security Identifiers. Retrieved November 30, 2017.
2. Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.
3. Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.
4. Microsoft. (n.d.). Active Directory Cmdlets - Get-ADUser. Retrieved November 30, 2017.
5. Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.
6. Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November 30, 2017.
7. Microsoft. (2014, November 19). Security Considerations for Trusts. Retrieved November 30, 2017.
8. Microsoft. (n.d.). Configuring SID Filter Quarantining on External Trusts. Retrieved November 30, 2017.
9. Microsoft. (2012, September 11). Command-Line Reference - Netdom Trust. Retrieved November 30, 2017.
10. Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.
11. Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
12. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.